Hi Stas,

On Tue, Jan 26, 2016 at 7:28 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> I already have/will have 3 RFCs for session.
> This one, session_id() and user space serialize handler.
> https://github.com/php/php-src/pull/1732
> I would like not to have too many RFCs for session.
I would like to make PHP more secure. Session is only a part of it. I have
https://wiki.php.net/rfc/dbc2
https://wiki.php.net/rfc/secure_serialization
https://wiki.php.net/rfc/introduce-type-affinity
https://wiki.php.net/rfc/script_only_include
and so on. There will even be new RFCs, such as automatic CSRF protection, when this RFC is finished and the URL rewriter bug is fixed.

I also have
https://bugs.php.net/bug.php?id=68599
https://bugs.php.net/bug.php?id=55391
https://bugs.php.net/bug.php?id=68728
https://bugs.php.net/bug.php?id=69791
and so on.

Three RFCs for session are just too much for me already...

Anyway, we may be better off talking about how it should be. For this thread, how session management should be. It's just not good enough currently. Besides exploiting PHP session being too easy, randomly lost sessions are not acceptable. Weak defaults are not acceptable either.

Let's talk about what is still missing, even with this RFC, to make session secure/stable, if anything. Better ideas are welcome. If there is one, I'll implement it.

Let's finish the mandatory work and move on.

Thanks,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php